Cloud Firewall:Configure a VPC firewall for an Enterprise Edition transit router

Feature description

Implementation

After you enable a VPC firewall, Cloud Firewall filters traffic between VPCs based on deep packet inspection (DPI)-based traffic analysis policies, intrusion prevention policies, threat intelligence rules, virtual patching policies, and access control policies. Then, Cloud Firewall checks whether the traffic matches the specified conditions, and blocks unauthorized traffic. This ensures the security of the traffic between internal-facing assets.

The following figure provides an example of a VPC firewall created for an Enterprise Edition transit router.

For more information about the protection scope, see What is Cloud Firewall?

Impacts

You can create a VPC firewall with a few clicks and configure the traffic redirection mode without the need to change the current network topology. You can set the traffic redirection mode to the automatic or manual mode. Your workloads are not affected during the creation. The creation duration is approximately 5 minutes. We recommend that you enable a VPC firewall during off-peak hours.

In automatic traffic redirection mode, the system requires approximately 5 minutes to 30 minutes to enable or disable a VPC firewall. The duration varies based on the number of routes. Your workloads are not affected.

In manual traffic redirection mode, if you enable or disable a VPC firewall, your workloads are affected. The time period during which your workloads are affected varies based on traffic redirection configurations.

Limits

• Before you enable a VPC firewall, make sure that a VPC named Cloud_Firewall_VPC is created and the VPC quota within your account is sufficient. For more information about the VPC quota, see Limits and quotas.

• The automatic traffic redirection mode is not supported in the following scenarios:

  • A static route other than 100.64.0.0/10 exists in the route tables of an Enterprise Edition transit router.

  • Multiple traffic redirection scenarios are configured for VPCs, VBRs, or transit routers.

  • Basic Edition transit routers are added to the automatic traffic redirection mode.

  • Transit routers have route conflicts.

  • The VPC prefix list feature is used.

• VPN gateways that are directly associated with VPCs by using the IPSec-VPN or SSL VPN feature are not supported. However, VPN gateways that are added to transit routers by using an IPsec-VPN connection are supported. For more information, see Associate IPsec-VPN connections with transit routers.

• VPC firewalls cannot protect traffic of IPv6 addresses.

Create a VPC firewall and configure a traffic redirection mode

Prerequisites

• Cloud Firewall Enterprise Edition or Ultimate Edition is purchased. For more information, see Purchase Cloud Firewall.

  Only Cloud Firewall Enterprise Edition and Ultimate Edition allow you to create VPC firewalls for Enterprise Edition transit routers.

• Cloud Firewall is authorized to access other cloud resources. For more information, see Authorize Cloud Firewall to access other cloud resources.

• A CEN instance is purchased. VPCs are connected by using an Enterprise Edition transit router, or on-premises resources are connected to Alibaba Cloud. For more information, see Use Enterprise Edition transit routers to enable intra-region communication between on-premises and cloud networks and Use Enterprise Edition transit routers to connect VPCs across regions and accounts.

  Note

  If multiple VPCs in a CEN instance are created by different Alibaba Cloud accounts, Cloud Firewall must meet the following conditions: Cloud Firewall runs Ultimate Edition and is authorized to access all VPCs. Otherwise, VPC firewalls cannot be created. We recommend that you complete the authorization or upgrade Cloud Firewall to Ultimate Edition before you create a VPC firewall. To complete the authorization, you must use your Alibaba Cloud account to log on to the Cloud Firewall console. For more information, see Authorize Cloud Firewall to access other cloud resources and Upgrade and downgrade Cloud Firewall.

• The regions in which your network resources reside are supported by the VPC Firewall feature. Otherwise, you cannot create VPC firewalls. For more information, see Supported regions.

Procedure

1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

2. On the Firewall Settings page, click the VPC Firewall tab.

3. On the VPC Firewall tab, click the CEN (Enterprise Edition) tab.

4. Find the transit router for which you want to create a VPC firewall and click Create in the Actions column.

   If no available asset is displayed in the asset list, you can click Synchronize Assets to synchronize the information about the assets within the current Alibaba Cloud account and members of the Alibaba Cloud account.

   Automatic (Recommended)

   In automatic traffic redirection mode, you can create a traffic forwarding scenario for network instances based on your business requirements. The VPC Firewall feature automatically configures routing in the Enterprise Edition transit router based on the scenario and creates an elastic network interface (ENI) for the VPC firewall to redirect traffic.

   1. In the Create VPC Firewall panel, configure the following parameters and click Check Now. After the check is complete, click Next.

      Parameter	Description
      Firewall Basic Information	Firewall Name: Specify a name for the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall based on your business requirements.
      VPC Configurations of Firewall	Allocate a CIDR block to the VPC that is automatically created for the VPC firewall and allocate three subnet CIDR blocks from the specified CIDR block to the vSwitches associated with the VPC. The mask of each subnet CIDR block must be less than or equal to 28 bits in length, and each subnet CIDR block cannot conflict with your network plan. If your service is latency-sensitive, we recommend that you use the same primary and secondary zones for the vSwitches of the VPC that is created for the VPC firewall and the VPC that is used in your workloads. This helps reduce latency. The first zone that you select for Available vSwitch Regions is the primary zone, and the second is the secondary zone. If you do not configure Available vSwitch Regions, Cloud Firewall automatically allocates zones.
      Intrusion Prevention	Specify the working mode of the IPS and the intrusion prevention policies that you want to enable. IPS Mode Monitor Mode: If you enable this mode, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic. Block Mode: If you enable this mode, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts. IPS Capabilities Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a command and control (C&C) server. Virtual Patching: Virtual patching can be used to defend against the common high-risk application vulnerabilities in real time. Note This setting applies to all network instances that belong to the same CEN instance.

   2. After the VPC firewall is created, click Next. Configure a traffic redirection scenario based on the following table.

      You can also configure a traffic redirection scenario later. To configure a traffic redirection scenario, go to the VPC Firewall tab, click the CEN (Enterprise Edition) tab, find the required transit router, and then click Configure Now in the Firewall Status column. On the Traffic Redirection Scenario tab of the panel that appears, click Immediately Create Traffic Redirection Scenario. In the Create Traffic Redirection Scenario panel, configure the parameters.

      Parameter	Description
      Basic Information	Template Name: Specify a name for the traffic redirection template.
      Select a scenario	Select the type of the scenario in which the VPC firewall manages and protects traffic. Instance-Instance: If you select this option, Cloud Firewall manages traffic between two network elements. This option is suitable for simple network topologies. Instance to Instances: If you select this option, Cloud Firewall manages traffic between one network element and multiple network elements. This option is suitable for star network topologies. If you select this option, you can set Instance Type to All for the secondary instance. This way, Cloud Firewall manages all traffic of the primary instance. This configuration is equivalent to a traffic redirection scenario of a VPC firewall created for a Basic Edition transit router. Important If a routing policy whose Routing Policy Action is set to Deny is associated with the route table of the transit router, the Instance to Instances type is not supported. We recommend that you select the Interconnected Instances type. Interconnected Instances: If you select this option, Cloud Firewall manages traffic between multiple network elements. This option is suitable for full mesh network topologies. Note Network elements are network instances that are connected by using Enterprise Edition transit routers. The network elements can be VPCs, VBRs, or transit routers.
      Select Traffic Redirection Instance	Configure Instance Type and Instance ID.

      Important

      In automatic traffic redirection mode, the number of VPCs that can be protected is calculated based on the number of network elements configured for the traffic redirection scenario. The network elements can be VPCs, transit routers, VBRs, or VPN gateways.

   3. Click OK.

      The creation process requires approximately 30 minutes to complete. After the traffic redirection scenario is created, Cloud Firewall protects traffic between the network instances that are connected by using the transit router.

   After you create the VPC firewall, the VPC firewall is automatically enabled. Cloud Firewall automatically creates the following resources:

   • A VPC named Cloud_Firewall_VPC.

     Important

     Do not add cloud resources to Cloud_Firewall_VPC. Otherwise, the cloud resources cannot be deleted when you delete the VPC firewall. Do not manually modify or delete the network resources in Cloud_Firewall_VPC.

   • A vSwitch named Cloud_Firewall_VSWITCH.

   • A custom route entry that has the following remarks: Created by cloud firewall. Do not modify or delete it.

   Manual

   In manual traffic redirection mode, you must create an elastic network interface (ENI) for the VPC firewall in the Enterprise Edition transit router and configure routes to redirect traffic to the ENI.

   Important

   In manual traffic redirection mode, you must select a VPC that is attached to the CEN instance and a vSwitch that is available. In addition, you must renew your Cloud Firewall at the earliest opportunity before it expires. If your Cloud Firewall expires, the features of Cloud Firewall become unavailable, and traffic cannot be redirected to the VPC firewall that you created. As a result, network interruptions occur.

   1. In the Create VPC Firewall panel, configure the parameters.

      Parameter	Description
      Firewall Basic Information	Firewall Name: Specify a name for the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall based on your business requirements. VPC: Select the VPC for which you want to create a VPC firewall. vSwitch: Select a vSwitch for the VPC firewall.
      Intrusion Prevention	Specify the working mode of the IPS and the intrusion prevention policies that you want to enable. IPS Mode Monitor Mode: If you enable this mode, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic. Block Mode: If you enable this mode, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts. IPS Capabilities Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a C&C server. Virtual Patching: Virtual patching can be used to defend against the common high-risk application vulnerabilities in real time. Note This setting applies to all network instances that belong to the same CEN instance.

   2. Click Start Creation.

   Note

   If you add or delete routes in your VPC route table after you enable a VPC firewall, wait for 15 to 30 minutes until Cloud Firewall learns routes. After Cloud Firewall learns routes, we recommend that you check whether your route table takes effect. You can also join the DingTalk group 33081734 to obtain technical support on Cloud Firewall.

   After you enable the VPC firewall, Elastic Compute Service (ECS) automatically creates a security group named Cloud_Firewall_Security_Group and adds a security group rule whose Action is set to Allow to the security group. This way, traffic to the VPC firewall is allowed.

   Important

   Do not delete the security group Cloud_Firewall_Security_Group or the security group rule whose Action is set to Allow. Otherwise, network interruptions may occur.

   Warning

   • If you change the vSwitch and route table after a VPC firewall is created, network interruptions may occur.

   • If you disable or delete a VPC firewall that is created for an Enterprise Edition transit router in manual traffic redirection mode, network interruptions may occur.

   If you want to perform batch operations on VPC firewalls or if you frequently enable and disable VPC firewalls, we recommend that you perform such operations during off-peak hours to prevent impacts on your business.

Related operations

Modify the configurations of the automatic traffic redirection mode

If you want to modify the configurations of the automatic traffic redirection mode, or your business no longer requires the automatic traffic redirection mode, find the transit router of the CEN instance and click Details in the Actions column. In the VPC Firewall Details panel, click the Traffic Redirection Scenario tab and perform the following operations based on your business requirements:

Disable a traffic redirection scenario

1. Turn off the switch for an enabled traffic redirection scenario in the scenario card.

2. In the Disable Traffic Redirection Scenario dialog box, disable the traffic redirection scenario by using the Withdraw Route or Roll Back Route method.

   • Withdraw Route (Recommended): If you select this option, the routes that are specified when you create the traffic redirection scenario are removed. The route tables that are created by the firewall are retained. The period of time that the process requires varies based on the number of routes. Wait until the scenario is disabled.

   • Roll Back Route: If you select this option, the route table that is configured before the traffic redirection scenario is created is restored. The route table that is created by the firewall is deleted. After you select Roll Back Route, the information about the route table that is configured before the traffic redirection scenario is created is automatically displayed. Make sure that the route table that is configured before the traffic redirection scenario is created is available.

3. Click OK.

   Important

   The disable operation cannot be cancelled. Before you disable a traffic redirection scenario, make sure that you no longer require the scenario. After the scenario is disabled, check whether your workloads are normal at the earliest opportunity.

Delete a traffic redirection scenario

Move the pointer over the card of the scenario that you want to delete and click Delete. Before you delete an automatic traffic redirection scenario, you must disable the scenario.

Modify a traffic redirection scenario

Move the pointer over the card of the scenario that you want to modify and click Edit.

View the details of routes

Move the pointer over the card of the scenario whose route details you want to view and click Route Details. You can view the details of the routes that are configured for the VPC firewall.

Modify or delete a VPC firewall

If you want to modify the configurations of a VPC firewall or you no longer require a VPC firewall, go to the VPC Firewall tab, click the CEN (Enterprise Edition) tab, find the transit router for which the VPC firewall is created, and then click Edit or Delete in the Actions column.

Modify IPS configurations

If you want to modify the IPS configurations for a VPC firewall, find the VPC firewall and click Configure IPS in the Actions column. On the IPS Configuration page, click the VPC Border tab and perform the required operation. For example, you can modify the IPS mode, modify the configurations of IPS features, allow traffic of specific source or destination IP addresses that are in IP address whitelists, and modify the policies of IPS features. For more information, see IPS configuration.

References

• Overview

• Are the security group rules in ECS affected after VPC Firewall is enabled?

• Why am I prompted that unauthorized network instances exist when I create a VPC firewall?